<% component = metadata.sources.journald %>

<%= component_header(component) %>

## Config File

<%= component_config_example(component) %>

## Options

<%= options_table(component.options.to_h.values.sort) %>

## Examples

Given the following journald record:

{% code-tabs %}
{% code-tabs-item title="journald record" %}

```
__REALTIME_TIMESTAMP=1564173027000443
__MONOTONIC_TIMESTAMP=98694000446
_BOOT_ID=124c781146e841ae8d9b4590df8b9231
SYSLOG_FACILITY=3
_UID=0
_GID=0
_CAP_EFFECTIVE=3fffffffff
_MACHINE_ID=c36e9ea52800a19d214cb71b53263a28
_HOSTNAME=lorien.example.com
PRIORITY=6
_TRANSPORT=stdout
_STREAM_ID=92c79f4b45c4457490ebdefece29995e
SYSLOG_IDENTIFIER=ntpd
_PID=2156
_COMM=ntpd
_EXE=/usr/sbin/ntpd
_CMDLINE=ntpd: [priv]
_SYSTEMD_CGROUP=/system.slice/ntpd.service
_SYSTEMD_UNIT=ntpd.service
_SYSTEMD_SLICE=system.slice
_SYSTEMD_INVOCATION_ID=496ad5cd046d48e29f37f559a6d176f8
MESSAGE=reply from 192.168.1.2: offset -0.001791 delay 0.000176, next query 1500s
```
{% endcode-tabs-item %}
{% endcode-tabs %}

A [`log` event][docs.log_event] will be emitted with the following structure:

{% code-tabs %}
{% code-tabs-item title="log" %}
```javascript
{
  "timestamp": <2019-07-26T20:30:27.000443Z>,
  "message": "reply from 192.168.1.2: offset -0.001791 delay 0.000176, next query 1500s",
  "host": "lorien.example.com",
  "__REALTIME_TIMESTAMP": "1564173027000443",
  "__MONOTONIC_TIMESTAMP": "98694000446",
  "_BOOT_ID": "124c781146e841ae8d9b4590df8b9231",
  "SYSLOG_FACILITY": "3",
  "_UID": "0",
  "_GID": "0",
  "_CAP_EFFECTIVE": "3fffffffff",
  "_MACHINE_ID": "c36e9ea52800a19d214cb71b53263a28",
  "PRIORITY": "6",
  "_TRANSPORT": "stdout",
  "_STREAM_ID": "92c79f4b45c4457490ebdefece29995e",
  "SYSLOG_IDENTIFIER": "ntpd",
  "_PID": "2156",
  "_COMM": "ntpd",
  "_EXE": "/usr/sbin/ntpd",
  "_CMDLINE": "ntpd: [priv]",
  "_SYSTEMD_CGROUP": "/system.slice/ntpd.service",
  "_SYSTEMD_UNIT": "ntpd.service",
  "_SYSTEMD_SLICE": "system.slice",
  "_SYSTEMD_INVOCATION_ID": "496ad5cd046d48e29f37f559a6d176f8"
}
```

Vector extracts the `"MESSAGE"` field as `"message"`, `"_HOSTNAME"` as `"host"`, and parses `"_SOURCE_REALTIME_TIMESTAMP"` into `"timestamp"`. All other fields from journald are kept intact from the source record. You can further parse the `"message"` key with a [transform][docs.transforms], such as the [`regeex` transform][docs.regex_parser_transform].
{% endcode-tabs-item %}
{% endcode-tabs %}

## How It Works [[sort]]

<%= component_sections(component) %>

## Troubleshooting

<%= component_troubleshooting(component) %>

## Resources

<%= component_resources(component) %>
